around_render HTML-Safety Bypass
Published: June 04, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-54498 (NVD)
- GHSA: GHSA-97jw-64cj-jc58
GEM
SEVERITY
CVSS v3.x: 8.7 (High)
UNAFFECTED VERSIONS
< 4.0.0
PATCHED VERSIONS
>= 4.12.0
DESCRIPTION
Summary
ViewComponent::Base#around_render can return HTML-unsafe strings that bypass the escaping behavior applied to normal #call return values. This creates an XSS risk when downstream applications use around_render to wrap, replace, instrument, or conditionally return content that includes user-controlled data.
The issue is especially dangerous in collection rendering because ViewComponent::Collection#render_in joins the per-item results and marks the entire output as html_safe, converting raw unsafe output into a trusted ActiveSupport::SafeBuffer.
